Stefan Esser discovered that the implementation of the max_input_vars configuration variable in a recent PHP security update was flawed such that it allows remote attackers to crash PHP or potentially execute code.

This update adds packages for the oldstable distribution, which were missing from the original advisory. The problem has been fixed in version 5.2.6.dfsg.1-1+lenny16, installed into the security archive on 3 Feb 2012.

For the stable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze7.

For the unstable distribution (sid), this problem has been fixed in version 5.3.10-1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/